[Hardy] [CVE-2010-4242] [PATCH 1/1] bluetooth: Fix missing NULL check, CVE-2010-4242

Brad Figg brad.figg at canonical.com
Fri Feb 11 20:35:19 UTC 2011


From: Alan Cox <alan at linux.intel.com>

CVE-2010-4242

BugLink: http://bugs.launchpad.net/bugs/714846

Fortunately this is only exploitable on very unusual hardware.

[Reported a while ago but nothing happened so just fixing it]

Signed-off-by: Alan Cox <alan at linux.intel.com>
Cc: stable at kernel.org
Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>

(backported from commit c19483cc5e56ac5e22dd19cf25ba210ab1537773)
Signed-off-by: Brad Figg <brad.figg at canonical.com>
---
 drivers/bluetooth/hci_ldisc.c |    7 +++++++
 1 files changed, 7 insertions(+), 0 deletions(-)

diff --git a/drivers/bluetooth/hci_ldisc.c b/drivers/bluetooth/hci_ldisc.c
index 998833d..17361ba 100644
--- a/drivers/bluetooth/hci_ldisc.c
+++ b/drivers/bluetooth/hci_ldisc.c
@@ -256,9 +256,16 @@ static int hci_uart_tty_open(struct tty_struct *tty)
 
 	BT_DBG("tty %p", tty);
 
+	/* FIXME: This btw is bogus, nothing requires the old ldisc to clear
+	   the pointer */
 	if (hu)
 		return -EEXIST;
 
+	/* Error if the tty has no write op instead of leaving an exploitable
+	   hole */
+	if (tty->driver->write == NULL)
+		return -EOPNOTSUPP;
+
 	if (!(hu = kzalloc(sizeof(struct hci_uart), GFP_KERNEL))) {
 		BT_ERR("Can't allocate control structure");
 		return -ENFILE;
-- 
1.7.4




More information about the kernel-team mailing list